On the Importance of Considering Physical Attacks When


On the importance of considering physical attacks when implementing lightweight cryptography

Alexandre Adomnicai (1,6), Benjamin Lac (2,6), Anne Canteaut (5), Jacques J.A. Fournier (3), Laurent Masson (1), Renaud Sirdey (4), and Assia Tria (2)

1 Trusted Objects, Rousset, France, {a.adomnicai, l.masson}@trusted-objects.com
2 CEA-Tech, Gardanne, France
3 CEA-Leti, Grenoble, France
4 CEA-List, Saclay, France, {benjamin.lac, renaud.sirdey, assia.tria, jacques.fournier}@cea.fr
5 Inria, Paris, France, [email protected]
6 ENSM-SE, Saint-Étienne, France

To cite this version: Alexandre Adomnicai, Benjamin Lac, Anne Canteaut, Jacques Jean-Alain Fournier, Laurent Masson, et al. On the importance of considering physical attacks when implementing lightweight cryptography. Lightweight Cryptography Workshop 2016, NIST, Oct 2016, Gaithersburg, United States. HAL Id: cea-01436006, https://hal-cea.archives-ouvertes.fr/cea-01436006, submitted on 16 Jan 2017.

Abstract. Pervasive devices are usually deployed in hostile environments where they are physically accessible to attackers. As lightweight cryptography is designed for such devices, it has to be particularly resistant to physical attacks.
In this paper, we illustrate how active and passive physical attacks against the lightweight block cipher PRIDE can be carried out. A side channel attack and a fault attack have been successfully implemented on the same software implementation of the algorithm. In both cases, we were able to recover the entire encryption key. First, we present our attacks, then we analyze them in terms of complexity and feasibility and finally, we discuss possible countermeasures.

Keywords: LWC · PRIDE · Physical attacks · CEMA · DFA.

1 Introduction

Every day, more objects are turned into interconnected pervasive devices. The expansion of the Internet of Things (IoT) brings many benefits but also raises a number of problems concerning security and privacy. Security is one of the biggest barriers to IoT adoption. To tackle this challenge, lightweight cryptography (LWC) is investigated in order to address IoT security issues while seeking the best compromise between security, power consumption, high performance and low footprint. During the last years, several lightweight block ciphers have been proposed, for example PRIDE [3], PRESENT [9], CLEFIA [33], PRINCE [11], KLEIN [15], SIMON [5] or SPECK [5].

LWC will be embedded into IoT devices, which will have to store and handle secret/sensitive cryptographic keys at some point. The security of these keys within the device has to be guaranteed throughout the life cycle of the device (i.e. from the device's manufacturing through the personalization stage up to its end of life), which may last several years. In the meantime, the device will be in the field, and as the field can be a hostile environment (i.e. physically accessible to attackers), physical attacks must be taken into account. Indeed, resistance against side channel attacks is now considered a valuable property which should be taken into consideration when designing lightweight ciphers, as underlined by the ciphers FIDES [7], PICARO [26], Zorro [17] and the LS-designs family [18].
Although hardware implementations are more efficient in all aspects (performance, power consumption and security) than software ones, the design and study of software-oriented ciphers is nevertheless important, since such implementations are widely used in practice because of their flexibility and ease of development. In this paper we analyze the resistance of PRIDE against physical attacks because, when looking at software implementations, it is nowadays one of the most efficient lightweight block ciphers [4], as shown by the performance comparisons given in [3,4].

In this paper we first present the PRIDE algorithm before introducing physical attacks. Then we introduce the two attacks that have been put into practice before analyzing them in terms of efficiency and feasibility. Finally we discuss countermeasures that can be implemented to thwart such attacks before concluding the paper with some perspectives.

2 The PRIDE block cipher

PRIDE is an iterative block cipher composed of 20 rounds, introduced by Albrecht et al. [3] in 2014. It takes as input a 64-bit block and uses a 128-bit key $k = k_0 \| k_1$. The first 64 bits $k_0$ are used for pre- and post-whitening. The last 64 bits $k_1$ are used by a key schedule algorithm to produce the subkeys $f_r(k_1)$ for each round $r$. The key schedule adds round constants to parts of the key. Denoting by $k_{1_i}$ the $i$-th byte of $k_1$, the subkey of round $r$ is

$$f_r(k_1) = k_{1_0} \,\|\, g_r^{(0)}(k_{1_1}) \,\|\, k_{1_2} \,\|\, g_r^{(1)}(k_{1_3}) \,\|\, k_{1_4} \,\|\, g_r^{(2)}(k_{1_5}) \,\|\, k_{1_6} \,\|\, g_r^{(3)}(k_{1_7})$$

with

$$g_r^{(0)}(x) = (x + 193r) \bmod 256, \quad g_r^{(1)}(x) = (x + 165r) \bmod 256, \quad g_r^{(2)}(x) = (x + 81r) \bmod 256, \quad g_r^{(3)}(x) = (x + 197r) \bmod 256.$$

The design of PRIDE is close to that of an LS-design, a concept introduced by Grosso et al. [18] in 2014; the only differences are that PRIDE uses an additional key for pre- and post-whitening, uses several matrices for the linear layer, and has no linear layer in the last round.
In this paper, we chose to present PRIDE as an LS-design in order to explain our analysis more simply. The inner state of the cipher, as well as the plaintext, ciphertext, and key, are all represented as a 4 × 16-bit array. In this paper, B[n] denotes the n-th nibble (4 bits) of a binary word B, while B_n denotes the n-th byte of B. Moreover, the rows and columns of nibbles are numbered from left to right starting from 1. The following notations are used for the intermediate values of the state within a round function:

  I_r  the input of the r-th round
  X_r  the state after the key addition layer of the r-th round
  Y_r  the state after the substitution layer of the r-th round
  O_r  the output of the r-th round

A round r such that 1 ≤ r ≤ 19 is composed of the following steps:

  i.   XORing the current n-bit subkey f_r(k_1) with the state: X_r = I_r ⊕ f_r(k_1),
  ii.  Applying the 4-bit S-box S, whose definition is given in Appendix C, to each column of the state (i.e. applying the substitution layer S-layer to the state): Y_r = S-layer(X_r),
  iii. Multiplying each row by a matrix L_i, called an L-box, given in [3] for 0 ≤ i ≤ 3 (i.e. applying the linear layer L-layer to the state): O_r = L-layer(Y_r).

The last round simply consists of the first two steps (i.e. without the linear layer). In order to encrypt a plaintext M, the cipher performs a XOR between M and P(k_0), where P is the permutation layer given in [3]. It then applies the 20 rounds as previously described, and finally applies once again a XOR between M and P(k_0). Figure 1 shows the representation of the PRIDE inner state, with frames showing the inputs of the S-box and the inputs of the L-box.

Figure 1: Inner matrix state of PRIDE. [Figure residue: a 4 × 16 matrix of bits s_{1,1} … s_{1,16} in the first row down to s_{4,1} … s_{4,16} in the last row; each column is one S-box input ("Apply S-box") and each row is one L-box input ("Apply L-box").]

In this paper, we denote by S_1 ··· S_16 the inner state given in Figure 1, such that S_i consists of the nibble s_{1,i} ··· s_{4,i} for all i. For example, the hexadecimal value 0xe8d3157f246e80cb denotes the inner state given in Figure 2.
  1110100011010011
  0001010101111111
  0010010001101110
  1000000011001011

Figure 2: Inner state 0xe8d3157f246e80cb

3 Physical attacks

Cryptographic algorithms are usually constructed to resist algebraic (mathematical) cryptanalysis or exhaustive key search by future computers. However, most cryptographic models do not cover physical attacks, which target the cryptographic primitive's implementation. Physical attacks can be divided into two classes: passive attacks and active ones. Active attacks disturb the operation of a device or try to reverse-engineer functions by analysing the chip at the logic level. Passive attacks, also called side channel attacks (SCA) [22], can be divided into timing attacks [14] and the interpretation of one or more traces [28,24] (i.e. recordings of the power consumption or electromagnetic emanation while a cryptographic primitive is running on the device). In this paper, we present an attack from each category (passive and active) on the PRIDE lightweight block cipher.

3.1 Side-channel attacks

Since the publication of differential power analysis (DPA) [21], it is public knowledge that the analysis of a power trace obtained when executing a cryptographic primitive might reveal information about the secret involved. A few years later, correlation power analysis (CPA) was widely adopted over DPA, as it requires fewer traces and is more efficient [12]. The principle is to recover part of the secret key by targeting a specific intermediate state of the algorithm and trying to predict its value by making hypotheses on the portion of the key involved. Then, to uncover the link between the predictions and the traces, the Pearson correlation coefficient between these two variables is computed using an appropriate leakage model (usually based on the Hamming weight or the Hamming distance, depending on the platform and the targeted implementation).
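The state layout of Figures 1 and 2 and the key schedule f_r(k_1) of section 2, worked through in code. This is an added example, not code from the paper or from the PRIDE authors. It assumes that the 64-bit state is written row by row into the 4 × 16 matrix (row 1 holds the most significant 16 bits, which is what makes 0xe8d3157f246e80cb match Figure 2) and that byte k_{1_0} is the most significant byte of k_1; the S-box (Appendix C) and the L-boxes ([3]) are not reproduced on this page and are not implemented here.

```python
# Added example (not from the paper): PRIDE state layout and key schedule.
# Assumptions: the 64-bit state fills the 4 x 16 matrix row by row, row 1
# being the most significant 16 bits (consistent with Figure 2), and byte 0
# of k1 is its most significant byte. S-box and L-boxes are not on this page.

ROUNDS = 20
ROUND_CONSTANTS = (193, 165, 81, 197)   # g^(0), g^(1), g^(2), g^(3)


def state_to_matrix(value):
    """Split a 64-bit state into 4 rows of 16 bits (row 1 first), as in Figure 2."""
    assert 0 <= value < (1 << 64)
    rows = []
    for r in range(4):
        word = (value >> (16 * (3 - r))) & 0xFFFF
        rows.append([(word >> (15 - c)) & 1 for c in range(16)])
    return rows


def matrix_to_state(rows):
    """Inverse of state_to_matrix."""
    value = 0
    for row in rows:
        for bit in row:
            value = (value << 1) | bit
    return value


def matrix_to_string(rows):
    """Render the matrix one 16-bit row per line, as Figure 2 prints it."""
    return "\n".join("".join(str(b) for b in row) for row in rows)


def nibble_columns(rows):
    """S_i = nibble (s_{1,i}, ..., s_{4,i}) of column i: the 16 S-box inputs."""
    return [(rows[0][c] << 3) | (rows[1][c] << 2) | (rows[2][c] << 1) | rows[3][c]
            for c in range(16)]


def row_words(rows):
    """Each 16-bit row is the input of one L-box L_i (i = 0..3)."""
    return [int("".join(str(b) for b in row), 2) for row in rows]


def g(j, r, x):
    """g_r^(j)(x) = (x + c_j * r) mod 256 with c_j from ROUND_CONSTANTS."""
    return (x + ROUND_CONSTANTS[j] * r) & 0xFF


def subkey(k1, r):
    """f_r(k1): bytes 1, 3, 5, 7 pass through g_r^(0..3); even bytes are unchanged."""
    assert 1 <= r <= ROUNDS
    b = [(k1 >> (8 * (7 - i))) & 0xFF for i in range(8)]   # k1_0 .. k1_7 (assumed MSB first)
    out = [b[0], g(0, r, b[1]), b[2], g(1, r, b[3]),
           b[4], g(2, r, b[5]), b[6], g(3, r, b[7])]
    value = 0
    for byte in out:
        value = (value << 8) | byte
    return value


def all_subkeys(k1):
    """The 20 round subkeys f_1(k1) .. f_20(k1)."""
    return [subkey(k1, r) for r in range(1, ROUNDS + 1)]


if __name__ == "__main__":
    rows = state_to_matrix(0xE8D3157F246E80CB)    # the state of Figure 2
    print(matrix_to_string(rows))
    print("S-box inputs S_1..S_16:", [hex(n) for n in nibble_columns(rows)])
    print("L-box inputs (rows):   ", [hex(w) for w in row_words(rows)])
    print("f_1(k1) for k1 = 0x0001020304050607:", hex(subkey(0x0001020304050607, 1)))
```

Printing the matrix for 0xe8d3157f246e80cb reproduces the four rows of Figure 2, and nibble_columns gives the S_i the attacks in the following sections reason about (S_1 = 0x9 for that state). Only the odd-indexed bytes of k_1 change from round to round, which is why a per-round guess of f_r(k_1) only has to cover the constant-dependent positions.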
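The CPA procedure of section 3.1 (hypothesis per key nibble, Hamming-weight prediction of an intermediate value, Pearson correlation against every sample of the traces), run on simulated traces so that the effect of a leaking implementation can be reproduced offline. This is an added example, not code from the paper; the traces are constructed (Gaussian noise plus the Hamming weight of an S-box output at one sample), and the 4-bit PRESENT S-box [9] stands in for the PRIDE S-box, which is in Appendix C of the paper and not on this page. The same statistic is what a leakage assessment of an implementation computes: a high peak means the intermediate value is observable, a flat result (the leak=False run) is what a masked or otherwise hardened implementation should produce.

```python
# Added example (not from the paper): correlation analysis on constructed traces.
# The PRESENT S-box is a stand-in for the PRIDE S-box (Appendix C, not on this page).
import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SAMPLES = 8       # samples per constructed trace
LEAK_INDEX = 5    # the one sample that carries data-dependent leakage


def hamming_weight(x):
    return bin(x).count("1")


def simulate_traces(key_nibble, n, sigma, seed=1, leak=True):
    """Constructed traces: Gaussian noise; with leak=True, sample LEAK_INDEX also
    carries HW(S[p ^ k]), the Hamming-weight model of the S-box output."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n):
        p = rng.randrange(16)
        trace = [rng.gauss(0.0, sigma) for _ in range(SAMPLES)]
        if leak:
            trace[LEAK_INDEX] += hamming_weight(SBOX[p ^ key_nibble])
        plaintexts.append(p)
        traces.append(trace)
    return plaintexts, traces


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / (vx * vy) ** 0.5


def cpa(plaintexts, traces):
    """For each of the 16 key hypotheses, predict HW(S[p ^ k]) and correlate the
    predictions with every sample; return (best hypothesis, sample index, |rho|)."""
    best = (None, None, -1.0)
    for k in range(16):
        predictions = [hamming_weight(SBOX[p ^ k]) for p in plaintexts]
        for t in range(SAMPLES):
            column = [trace[t] for trace in traces]
            rho = abs(pearson(predictions, column))
            if rho > best[2]:
                best = (k, t, rho)
    return best


if __name__ == "__main__":
    pts, trs = simulate_traces(0xA, n=300, sigma=0.5)
    print("leaking implementation:", cpa(pts, trs))        # expected key 0xA at sample 5
    pts, trs = simulate_traces(0xA, n=300, sigma=0.5, leak=False)
    print("no data-dependent leak:", cpa(pts, trs))        # no hypothesis stands out
```

With the leak present, the correct nibble wins at the leaking sample with a correlation near 0.9 (the Hamming weight of a uniform 4-bit value has variance 1, so rho ≈ 1/√(1+σ²)); with the leak removed, no hypothesis exceeds the noise floor, which is the outcome a countermeasure evaluation looks for.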
